Cross posted at Dryad

With increasing mandates and initiatives around open data and software, researchers commonly have to make a choice about where to deposit their non-article outputs. Unfortunately, systems that are built to accommodate these objects work separately and can make the process more difficult. As a result, data, code, figures, and other outputs go to a variety of disconnected places, or improper homes (i.e. code with the wrong license or data not curated). To tackle this issue, and make open research best practices more seamless for researchers, we are thrilled to announce a partnership between Dryad and Zenodo.

Dryad is a leader in data curation and data publishing. For the last ten years, Dryad has focused primarily on research data, supporting a CC0 license and manually curating each incoming dataset. Zenodo, a general use repository hosted at CERN, has been paving the way in software citation and publishing. As long time players in the open science movement, we believe that we can advance open science and open-source projects further by working together. Instead of working individually to broaden each our scopes, building competitive features, and inefficiently using our limited resources, Dryad and Zenodo will be working together to support more seamless workflows that make the process easier for researchers.

To jumpstart this collaboration, we are proud to have been awarded an Alfred P. Sloan Foundation grant that will enable us to co-develop new solutions focused on supporting researcher and publisher workflows as well as best practices in data and software curation. By focusing on integrations between our systems, leveraging data and software expertise, we can both extend the reach of our services and open up more opportunities for broader research communities. We are looking forward to re-imagining the submission process for researchers and how we can better support our journal publishing and institutional communities along the way.

Our leadership teams are dedicated to the future of our co-development projects:

"Dryad has long admired the work Zenodo does in our shared space and we are thrilled to finally find a way to collaborate on a project that benefits researchers around the globe. The Dryad-Zenodo integration is an excellent example of how two like-minded organizations can join together in a shared vision", says Melissanne Scheld, Executive Director at Dryad.

"Dryad and Zenodo have always shared the same Open Science values, this is why we are very excited to partner up with such a talented team and bring the future of scientific publication one step closer to reality. We look forward to this inspiring collaboration with Dryad as well as helping the research community to move science forward, says Jose Benito Gonzalez, Head of Digital Repositories at CERN/Zenodo.

As we embark on this open-source project and partnership together, we invite community feedback and input.

Today, we have updated our public roadmap. Over the summer we have reduced development capacity as staff is on holidays, and thus we're focusing on minor improvements:

• Citations: We're improving the regular updates of citation data from our data sources such as NASA ADS, OpenAIRE, CrossRef and EuropePMC.
• GitHub improvements: We're making some minor optimizations in the release processing workflows.
• Infrastructure: We're growing rapidly, and thus we're in need of upgrading our Elasticsearch cluster.

Our biggest target right now is the preparations for importing a dataset of 300.000 biodiversity treatments records into Zenodo in collaboration with Plazi and Pensoft. We hope to be able to present this work around end-October. These improvements will bring support for geospatioal, temporal and method metadata to Zenodo.

On June 30th, one of our users, Ciro Santilli, reported that he had discovered a Cross-Site Scripting (XSS) vulnerability in Zenodo. We immediately fixed the vulnerability by July 1st and we also verified that the vulnerability was not exploited by malicious users.

What is Cross-Site Scripting (XSS)?

XSS is one of the most common type of vulnerabilities in web applications. A XSS vulnerability is a type of vulnerability where a malicious user is able to inject a client-side script into a website like Zenodo. This will make a victims browser execute the script, which can be used to e.g. hijack user sessions or redirect the victim to a malicious site.

How was the vulnerability discovered?

The issue was reported to us on July 30th by Ciro Santilli. We would like to send a special thank you to Ciro for discovering the issue and responsibly disclosing it to us.

Was the XSS vulnerability exploited?

No. We have scanned our database for malicous use of the vulnerability and have not found any indications on that it was exploited in any way.

Is Zenodo secure to use?

Yes. We take security very serious and do our best to protect your data (read more about what we do on http://about.zenodo.org/infrastructure/).

How do I report a possible security incident?

Please report it directly to us via https://zenodo.org/support. Especially, we ask you to not report it in a public fashion, in order to give us time to deploy a fix for the issue.

How do you handle a reported security incident?

Once we receive your report, we will acknowledge the receipt. We will then proceed to verify the issue and if needed implement and deploy a fix. Once the issue has been fixed, we will publicly disclose the issue via a blog post and atttribute the discovery to you (if you wish to be credited).

Why did it take 14 days to communicate?

The public disclosure of the issue has been coordinated with security relases of Invenio, which is the underlying framework that Zenodo is based on.

As a standard measure and after patching Zenodo, we reviewed the Invenio source code for potential similar issues to those identified in Zenodo. This led to the discovery of three additional XSS vulnerabilities.

See details on http://inveniosoftware.org/blog/security-advisor-20190715/.